(S//SI//REL) The TOR Problem

■ (U) "The Onion Router"

■ (U) Enables anonymous internet activity

° General privacy
° Non-attribution
° Circumvention of nation state internet policies

■ (U) Hundreds of thousands of users

° Dissidents (Iran, China, etc)
° (S//SI//REL)

■ (S//SI//REL) Other targets too!
(U) TOR Browser Bundle

° Portable Firefox 10 ESR (tbb-firefox.exe)
° Vidalia
° Polipo
° TorButton
° TOR

° "idiot-proof"




(TS//SI//REL) Fingerprinting TOR

Windows XP
Firefox 10.0.5 ESR?
■ 32-bit Windows 7
■ Firefox/10.0

64-bit Mac OS X
Firefox 10.0.4 ESR?
■ 32-bit Windows 7
■ Firefox/10.0

Firefox 10.0.7 ESR?
■ 32-bit Windows 7
■ Firefox/10.0

64-bit Windows 7
Firefox 10.0.10 ESR?
■ 32-bit Windows 7
■ Firefox/10.0

Windows 7

32-bit Windows 7

■ (TS//SI//REL) BuildID gives a timestamp for when the Firefox release was built

2012102
Year Month Day Hour Min Sec

■ (TS//SI//REL) tbb-firefox's BuildID



(TS//SI//REL) Fingerprinting TOR



■ (TS//SI//REL) TorButton cares about TOR users being indistinguishable from other TOR users

■ (TS//SI//REL) We only care about TOR users versus non-TOR users

■ (TS//SI//REL) Thanks to TorButton, it's easy!
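The BuildID decoding the slides describe, written out as an added example (it is not code from the deck or from Tor Browser): it assumes only the 14-digit Year Month Day Hour Min Sec layout the slide spells out, treats the ID as UTC, and shows why a uniform user agent does not stop the BuildID from splitting a population into distinct builds. The sample BuildIDs are constructed; the pinned constant is the value Tor Browser later used to override navigator.buildID for every user, which I state from knowledge of Tor Browser's preferences, not from the deck.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterable

# Firefox BuildID layout as the slide labels it: Year Month Day Hour Min Sec,
# i.e. 14 digits YYYYMMDDHHMMSS, interpreted here as UTC (assumption).
_BUILD_ID_RE = re.compile(r"^[0-9]{14}$")

# Constant Tor Browser later used to pin navigator.buildID for all users (from my
# knowledge of Tor Browser's prefs, not from the deck). A pinned ID encodes no real
# build time, so it cannot tell one build from another.
PINNED_BUILD_ID = "20100101000000"


def is_valid_build_id(build_id: str) -> bool:
    """True if the string has the 14-digit shape and encodes a real calendar time."""
    if not _BUILD_ID_RE.match(build_id):
        return False
    try:
        datetime.strptime(build_id, "%Y%m%d%H%M%S")
    except ValueError:  # e.g. month 13 or day 32
        return False
    return True


def parse_build_id(build_id: str) -> datetime:
    """Decode a BuildID into the UTC timestamp of the build it identifies."""
    if not is_valid_build_id(build_id):
        raise ValueError(f"not a YYYYMMDDHHMMSS BuildID: {build_id!r}")
    return datetime.strptime(build_id, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def build_id_fields(build_id: str) -> Dict[str, int]:
    """Split a BuildID into the six fields the slide names."""
    dt = parse_build_id(build_id)
    return {"year": dt.year, "month": dt.month, "day": dt.day,
            "hour": dt.hour, "min": dt.minute, "sec": dt.second}


def leaks_build_time(build_id: str) -> bool:
    """A BuildID identifies a specific build only if it is a real, unpinned stamp."""
    return is_valid_build_id(build_id) and build_id != PINNED_BUILD_ID


def distinct_builds(build_ids: Iterable[str]) -> int:
    """Count the separate builds behind a set of clients whose user agents all read
    the same; pinned or malformed IDs collapse into one uninformative bucket."""
    buckets = {b if leaks_build_time(b) else "(pinned)" for b in build_ids}
    return len(buckets)


if __name__ == "__main__":
    # Constructed sample: five clients, identical user agent, differing BuildIDs.
    samples = ["20121001123045", "20121001123045", "20120801090000",
               PINNED_BUILD_ID, PINNED_BUILD_ID]
    for b in samples:
        print(b, build_id_fields(b) if leaks_build_time(b) else "pinned")
    print("distinct builds:", distinct_builds(samples))
```

The defensive takeaway is in `leaks_build_time`: a user-agent string that is identical across platforms only hides what the browser also refuses to reveal elsewhere, and a live build timestamp is one such side channel until it is pinned.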




(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) tbb-firefox is barebones

° Flash is a no-no
° NoScript addon pre-installed...
  ...but not enabled by default!
° TOR explicitly advises against using any addons or extensions other than TorButton and NoScript

■ (TS//SI//REL) Need a native Firefox exploit



(TS//SI//REL) ERRONEOUSINGENUITY

° Commonly known as ERIN
° First native Firefox exploit in a long time
° Only works against 13.0-16.0.2

(TS//SI//REL) EGOTISTICALGOAT

° Commonly known as EGGO
° Configured for 11.0-16.0.2...
  ...but the vulnerability also exists in 10.0!



(U) EGOTISTICALGOAT

■ (TS//SI//REL) Type confusion vulnerability in E4X

■ (TS//SI//REL) Enables arbitrary read/write access to the process memory

■ (TS//SI//REL) Remote code execution via the CTypes module



(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Can't distinguish OS until on box

° That's okay

■ (TS//SI//REL) Can't distinguish Firefox version until on box

° That's also okay

■ (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box

° I think you see where this is going
(TS//SI//REL) Callbacks from TOR



■ (TS//SI//REL) Tests on Firefox 10 ESR worked

■ (TS//SI//REL) Tests on tbb-firefox did not

° Gained execution
° Didn't receive FINKDIFFERENT

■ (TS//SI//REL) Defeated by Prefilter Hash!

° Requests EGGI: Hash(tor_exit_ip || session_id)
° Requests FIDI: Hash(target_ip || session_id)



(TS//SI//REL) Easy fix

° Turn off prefilter hashing
° FUNNELOUT

(TS//SI//REL) OPSEC Concerns

° Pre-play attacks

■ PSPs

■ Adversarial Actors

° Targets worth it?